[Snort-users] http_inspect question

Rich Adamson radamson at ...2127...
Wed Feb 2 12:38:37 EST 2005


Been around snort since v1.8 and have read the README.http_inspect and
the manual relative to the http_inspect preprocessor.

Questions:
1. In a small network environment with _no_ internal web server, does the
http_inspect preprocessor have any value?  
(Currently seeing a number of alerts resulting from the generic 
definitions, all of which are associated with user workstations
accessing external web sites. None of which seem to have any value.
If I disable the preprocessor, will that impact any of the web-based
rules? Will web rules based on External_Net -> Home_Net be interpreted
correctly?)

2. All of the documentation suggests the preprocessor is intended to
identify issues associated with a web "server" (presumably internal).
Are there any reasonable cases where the preprocessor should be defined
for external web servers when snort is located inside a Bank (as an
example only)?

Comments?





